The Growing Role of FIDO and Passkeys in Banking Authentication - Banking news and analysis from Global Banking & Finance Review

The Growing Role of FIDO and Passkeys in Banking Authentication

Published by Barnali Pal Sinha

Posted on June 9, 2026


Sarah Lefavrais

Banking’s Authentication Problem Has Changed

Banks are no longer fighting simple password reuse. They’re facing real-time phishing kits, MFA fatigue, session hijacking, AI-powered social engineering, and more.

Traditional MFA methods, such as OTP via apps, out-of-band SMS, and mobile push approval, continue to leave financial institutions vulnerable because:

  • They are still based on insecure passwords

  • They are increasingly bypassed

To make matters worse, compliance pressure is on the rise, with regulations such as DORA, Strong Customer Authentication (SCA) mandates, and Federal Financial Institutions Examination Council (FFIEC) guidance clamping down on how banks maintain resilience, develop code, and manage risk.

Yesterday’s access management solutions are no match for today’s emerging risk landscape. And yet the need for bulletproof financial authentication has never been higher.

As a result, phishing-resistant, cryptographic authentication, specifically FIDO, is rapidly emerging as the new baseline for banking security. The momentum behind passkey-based authentication extends well beyond the financial sector. Major technology providers including Microsoft, Google, and Apple have integrated support for passkeys across their platforms, helping accelerate mainstream adoption of FIDO-based authentication standards. The FIDO Alliance has also reported growing industry adoption as organizations seek phishing-resistant alternatives to passwords and traditional multi-factor authentication methods. As passkeys become increasingly familiar to consumers through everyday digital experiences, financial institutions are gaining a clearer pathway to deploying stronger authentication without sacrificing user convenience.

But what exactly makes FIDO different?

What FIDO Actually Is (and Isn’t)

The FIDO (Fast IDentity Online) Alliance is committed to creating authentication standards that are more secure, private, and easy to use than passwords.

FIDO2 is the current standard; it validates users with phishing-resistant public-key cryptography, based on public and private key pairs rather than a shared secret.

How It Works

Public-key cryptography replaces shared secrets such as passwords or OTPs. The private key is bound to a specific domain, so a login captured on another domain cannot be replayed; this is what is meant by phishing resistance. If the private key is also bound to the user’s laptop, mobile device or security key, it prevents adversary-in-the-middle (AiTM) attacks.

Since there are no secrets to share, FIDO2 prevents adversaries from capturing your credentials and using them to “log in” to platforms and systems.

FIDO is a lot of things, but it is:

Here’s why that matters specifically in banking.

Why Banking Is Uniquely Exposed

Digital transformation has fundamentally reshaped how banks engage with their customers. Where once most financial interactions took place in person, today the vast majority happen online, making customer identity the centerpiece of every security decision.

The Thales 2025 Identity & Access in Banking, Financial Services & Insurance Report reflects just how fast this landscape is shifting: one in five organizations expects its customer identity base to more than double within the next 12 months. As those identity volumes grow, financial institutions are reporting greater difficulty in monitoring and mitigating the risks they entail.

The result is a widening attack surface, leaving banks increasingly exposed to account takeover and fraud, two of the most financially and reputationally damaging threats in the sector.

High-value digital transactions are magnets for targeted phishing campaigns and credential-based attacks. The Thales 2025 BFSI report highlights identity and access management as one of the sector’s most pressing security challenges, with credential-based threats, account takeover, and fraud consistently among the leading risk concerns for financial institutions worldwide.

Banking ecosystems include more than just their software; employees, customers, fintech partners, and third-party vendors all contribute to the attack surface.

According to the Thales 2026 Data Threat Report:

  • Credential theft is the leading attack technique against cloud infrastructure, with 67% seeing an increase in these incidents

  • As a result, 52% of respondents regard identity and access management as the most pressing security principle

But what’s the harm of one bad login?

The IBM Cost of a Data Breach report has the answers:

  • The average cost of data breaches in the financial sector is $5.56 million, well above the global average of $4.44 million

  • Compromised credentials ($4.67 million) and phishing attacks ($4.80 million) are consistently amongst the most expensive attack vectors

Unfortunately, in banking, authentication failures are not just account compromises; they are financial loss events. And they can be potentially disastrous ones.

This is why FIDO is more than just a UX improvement: it’s a risk-reduction architecture fundamental to the safety of financial institutions and their data. While it does improve usability, its real value is the security gain, and that gain is what makes it the “gold standard” of secure authentication.

So, what makes FIDO stand out?

Five Reasons FIDO Is Becoming the Gold Standard

1. Built-In Phishing Resistance

FIDO helps high-value targets evade phishing by using cryptographic challenge-response, a method in which the server generates a new random “challenge” for every login attempt.

During registration, the private key is bound to a specific online service domain. If, during the user authentication process, the target domain is fake (for example, when clicking a link in a phishing email), the private key won’t match, and the login will fail, preventing any phishing attempts. In high-risk scenarios where passkeys are bound to a device, the FIDO protocol also makes Adversary-in-the-Middle (AiTM) impossible.

2. Strong Multi-Factor by Design

FIDO also upgrades simple one-dimensional logins with built-in MFA-by-design. It requires both:

  • Something you have (device, hardware security key, platform authenticators)

  • Something you are or know (biometrics or PIN)

By requiring users to leverage a combination of these two every time, FIDO banking authentication eliminates the risk of shared secrets.

Instead, these physical authentication elements ensure that old credentials can’t be reused and that the actual device owner is present every time.

3. Reduced Fraud and Operational Costs

Tighter authentication means fewer downstream problems. Bypassing passwords altogether translates to a lower password reset volume, which turns into direct operational savings; it’s been cited that between 20% and 50% of all helpdesk calls are attributed to this issue alone.

More secure logins also mean fewer successful fraud attempts, resulting in a reduced fraud investigation workload; teams spend less time filling out SARs, issuing temporary cards, analyzing transaction data, and initiating chargebacks.

Finally, fewer account takeover incidents occur as the most common methods of credential fraud – stolen credentials, credential stuffing, and brute forcing – are mitigated by stronger FIDO security.

4. Improved Customer Experience

The impact on customers isn’t lost either.

Banks competing for online and mobile banking market share realize that UX is everything in customer retention. FIDO enables a better customer experience, allowing banks to do more business and retain existing clientele.

That’s because passkeys are a consumer-friendly evolution, designed to help users log in faster and make banking on the go more convenient. The result is a seamless, mobile-first journey that lets BFSI clients do what they came to your institution (or website, or app) to do: connect with their resources.

5. Regulatory Alignment

As data privacy and cybersecurity requirements continue to evolve across the financial sector, implementing FIDO now keeps institutions ahead of the inevitable curve.

FIDO supports strong customer authentication principles by design, aligning with the zero-trust strategies required by an increasing number of frameworks: DORA, PCI DSS 4.0, GLBA, NIST SP 800-207, and PSD2/PSD3, to name a few.

Authentication based on strong public-key cryptography rather than insecure passwords changes the game. It provides clear auditability and cryptographic assurance rather than relying on assumed trust.

In other words, FIDO gives banks audit-ready, phishing-resistant MFA banking across the browsers and platforms your clients rely on every day—and, most importantly, that are connected to your institution.

The New Baseline for Banking Trust

Phishing is evolving, and financial institutions are at the forefront of attacks. Or their employees and users are.

Threat actors go where the money goes, and the BFSI sector is the perennial “jackpot” for financially motivated fraudsters.

With regulatory expectations rising in tandem with risk, banks have more than fiduciary skin in the game: they’ve got their reputation to worry about, and all the customer trust that goes along with it.

On top of that, consumers increasingly demand frictionless experiences, and even banks are “easy come, easy go” when digital obstacles mount too high.

According to the Thales Digital Trust Index 2026 report, the use of (phishing-resistant) MFA and passkeys would make customers trust financial institutions more.

In this environment, phishing-resistant, cryptographic authentication is no longer innovation; it is infrastructure. And for many banks, FIDO is rapidly becoming the standard against which all other authentication methods are measured.

Author bio:

Sarah is a true team player who works in product marketing for enterprise authentication and access management solutions. Her passions lie in discovering how companies can secure access to their data and protect themselves from cyber-attacks. When not solving problems for big business, she likes distracting her 14-year-old son from his Nintendo Switch, singing and playing guitar with friends.

Sarah leads technology alliances within Thales’s IAM product marketing team. For the past several years, she has been fully involved in the Go to Market activities of Thales Passwordless FIDO Authentication solutions for Enterprises, contributing to several roundtables, presentations and demos around passwordless authentication in major events like RSA, FIC and Gartner.

Sarah contributes to the FIDO Alliance Marketing Committee. Before joining Thales IAM and focusing on cybersecurity, Sarah led Telecom & IOT marketing initiatives in Gemalto.
